Infrastructure Security: System Hardening • Chapter 8 511
Protocol (LDAP) and the X.500 standard. This type of service contains general
information that is searchable. Typically, these directories are write-enabled to the
administrator or the owner of the record involved, and read-enabled to all other
users. A second type of directory services operation includes the operation of systems
like Novell's NDS and Windows 2003's Active Directory. Both of these services
are based on the X.500 standard, as is the conventional LDAP directory
service. They are not fully LDAP-compliant, however: they can interoperate with
LDAP directories, but have been modified for use in their respective directory
services. These types of directories usually follow the LDAP/X.500 naming convention
to indicate the exact name of the objects, which include designations for
common name, organization, country, and so on. This might appear as CN=Joe
User, O=His Company or C=US, which would designate that the record was for Joe
User, a member of his company, in the United States. It is important to impose and
verify stringent control on what is allowed to be written to a records database and
who can write to it, because much of the information in this directory service is
used to authenticate users, processes, services, and machines for access to other
resources within the networks. At the same time, administrators will want to control
who can read information in specific areas of the database, because they need
to restrict access to some parts of the directory information.
Hardening of directory services systems requires evaluation not only of the permissions
to access information, but of permissions for the objects that are contained
in the database. Additionally, these systems require the use of LDAP on the network,
which also requires evaluation and configuration for secure operation. This
includes setting perimeter access controls to block access to LDAP directories in
the internal network, if they are not public information databases. Maintenance of
security-based patches and updates from the NOS manufacturer is absolutely
imperative in keeping these systems secure.
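As an added example (not from the study book), the following Python models the two points made above: splitting an LDAP/X.500 distinguished name such as CN=Joe User,O=His Company,C=US into its components, and enforcing the access rule the text describes (reads for any authenticated user, writes only for the record owner or a directory administrator). The DN parser handles RFC 4514 backslash-escaped commas; the owner table, admin group and record names are constructed sample data.

```python
from typing import Dict, List, Optional, Set, Tuple

DN = Tuple[Tuple[str, str], ...]  # normalised DN: ((attribute, value), ...)

def parse_dn(dn: str) -> DN:
    """Split 'CN=Joe User,O=His Company,C=US' into (attribute, value) pairs.
    Backslash-escaped commas (RFC 4514) stay inside the value."""
    rdns: List[str] = []
    buf, escaped = "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        # attribute types are case-insensitive; compare them in upper case
        pairs.append((attr.strip().upper(), value.strip()))
    return tuple(pairs)

def authorize(actor: str, entry: str, op: str,
              owners: Dict[str, str], admins: Set[str]) -> bool:
    """Policy from the text: any authenticated user may read a record,
    only the record owner or a directory administrator may write it."""
    if not actor:                                   # anonymous bind
        return False
    if op == "read":
        return True
    if op == "write":
        me = parse_dn(actor)
        target = parse_dn(entry)
        owner: Optional[str] = next(
            (o for e, o in owners.items() if parse_dn(e) == target), None)
        is_admin = me in {parse_dn(a) for a in admins}
        return is_admin or (owner is not None and parse_dn(owner) == me)
    return False                                    # unknown operation

# Constructed sample directory: Joe owns his own record; one admin exists.
OWNERS = {"CN=Joe User,O=His Company,C=US": "CN=Joe User,O=His Company,C=US"}
ADMINS = {"CN=Dir Admin,O=His Company,C=US"}

if __name__ == "__main__":
    print(parse_dn("CN=Joe User,O=His Company,C=US"))
    print(authorize("cn=Dir Admin, o=His Company, c=US",
                    "CN=Joe User,O=His Company,C=US", "write", OWNERS, ADMINS))
```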
Network Access Control
As seen in this chapter, hardening is an important process. Another way to harden
the network is to use network access control (NAC). There are several different
incarnations of NAC available. These include infrastructure-based NAC, endpoint-
based NAC, and hardware-based NAC.
1. Infrastructure-based NAC requires an organization to be running the most
current hardware and OSes. OSes such as Microsoft Vista have the ability to
perform NAC.